Modular arithmetic coprocessor comprising an integer division circuit

ABSTRACT

A modular arithmetic coprocessor designed to perform computations according to the Montgomery method includes a division circuit to perform integer divisions. The integer division circuit computes the division of a binary data element A encoded on n+n (bits by a binary data element B encoded on n bits, A, B, n, n&#39; and n&#34; being on-zero integers. For this function, the integer division circuit includes: a first n-bit register and a second n-bit register to contain the binary data element A and the result of the division, a third n-bit register to contain an intermediate result, a fourth n-bit register to contain the binary data element B, two subtraction circuits each having a first series input and a second series input and a series output, and a test circuit having an input and an output.

The invention relates to a modular arithmetic coprocessor comprising aninteger division circuit. Modular arithmetic coprocessors are used inencryption and/or decryption circuits. The use of these coprocessorsenables the considerable acceleration of the operations of encryptionand/or decryption using the Montgomery method. Systems of this kind aremuch used in chip cards using, in particular, the RSA code.

The RSA code is a mathematical encoding method where a binary message Mencoded on n bits is processed as an integer of n bits. The encryptionand decryption are achieved by modular exponentiation operations:

encryption: M'=M^(e) mod N,

decryption: M=M'^(a) mod N.

M' is the encrypted message encoded on n bits, N is an integer encodedon n bits such that N=p*q, p and q being two prime numbers. Theexponents e and d are two whole numbers such that (e*d) mod Φ(N)*1, withΦ(N)=(p-1)*(q-1). A code of this kind therefore has two keys: one is anencryption key known as a public key (e and N) and the other is adecryption key called a secret key (d and N).

To find the secret key from the public key, it is enough to carry outthe following operation: d=(1+K*Φ(N))/e, K being an integer coefficientthat is not zero. The security of a code of this kind actually relatesto the complexity of the operations to be performed. To find the secretkey, it is necessary to factorize N into prime numbers. The greater thenumbers p and q, the greater is the amount of time required for thisoperation (in practice p and q are encoded on a few hundreds of bits).Indeed, it is necessary to make successive tests on the divisibility cfN by all the integers encoded on 2 to n/2 bits.

It is quite possible to look for a secret key on the basis of the publickey, provided that several hundreds of years are devoted to the task.However, certain uses of RSA codes may require changes of key that callfor a computation of the keys. Computations of this kind use operationsof division on big numbers.

In chip cards, the encryption circuits make use of amicroprocessor-coprocessor type of architecture. The microprocessor is astandard 8-bit or 16-bit type of microprocessor. The coprocessor is amodular arithmetic coprocessor, for example of the same type as the onedescribed in the European patent application referenced EP-A-0 601 907(hereinafter called D1). The coprocessor is illustrated in FIG. 1 (thisfigure corresponds to FIG. 2 of the European patent application referredto).

To carry out the division operations, the coprocessor is of no use.Therefore, the division takes place in the microprocessor. The fact ofcarrying out the division in the microprocessor requires a considerableamount of time because the microprocessor is not capable of directlyprocessing large-sized data elements (for example 512 bits).Furthermore, the program that enables this division to be carried outwill take up a considerable amount of memory space (a code associatedwith the program) and will use working memory space to perform itscomputations. For a chip card, it is therefore very difficult to be ableto recompute keys from different public keys (e and N).

The invention proposes the addition, in an modular arithmeticcoprocessor, of a computation circuit specially designed to performdivisions on big numbers. Since the division circuit does not have touse a large amount of additional space, this circuit uses resourcescommon to the modular operations performed according to the Montgomerymethod which are already present in a modular arithmetic coprocessor.Thus, the fact of making a computation circuit specific to the divisionon the modular arithmetic coprocessor enables a chip card to carry out acomputation of keys without any noteworthy increase in the size of theintegrated circuit. The invention also proposes a method for the makingof a division using a circuit of this kind.

An object of the invention therefore is a modular arithmetic coprocessordesigned to perform computations according to the Montgomery methodcomprising a division circuit wherein the division circuit comprises atest circuit having one input and one output to perform integerdivisions by numbers that are different from a power of two.

The invention more particularly describes an integer division circuitthat computes the division of a binary code A encoded on 2* n bits by abinary data element B encoded on n'+n" bits, A, B, n, n' and n" beingnon-zero integers, the circuit comprising: a first n'-bit register and asecond n"-bit register to contain the binary data element A and theresult of a division, a third n-bit register to contain an intermediateresult, a fourth n-bit register to contain the binary data element B.

Since the division circuit can be borre on several coprocessors, theinvention also has as its object an arithmetic coprocessor comprising aninteger division circuit that computes the division of a binary dataelement A encoded on n'+n" bits by a binary data element B encoded on nbits, A, B, n, n' and n" being non-zero integers wherein the integerdivision circuit comprises: a first n'-bit register and a second n"-bitregister to contain the binary data element A and the result of thedivision, a third n-bit register to contain an intermediate result, afourth n-bit register to contain the binary data element B, twocascade-connected subtraction circuits each having a first series inputand a second series input and a series output, a test circuit having aninput and an output.

An object of the invention also is a method for carrying out an integerdivision of a first number, encoded on n'+n" bits, by a second numberencoded on n bits, using a modular arithmetic coprocessor comprisingfirst, second, third and fourth n-bit shift registers, a first seriessubtraction circuit and a second series subtraction circuit, a testcircuit wherein said method comprises the following steps:

E1: the loading, into the first and second registers, of the firstnumber, the resetting of the third register with zeros, the loading intothe fourth register of the second number, the resetting at zero of thetest circuit,

E2: the shifting, by one bit, of the third and fourth registers, thethird register recovering, as a most significant bit, the mostsignificant bit of the second register, the fourth register having itsoutput connected to its input, the subtraction, in the secondsubtraction circuit, of the least significant bit of the fourth registerfrom the most significant bit of the second register, the firstsubtraction circuit performing a subtraction of zero from the leastsignificant bit of the third register,

E3: the shifting by n-1 bits of the third and fourth registers, theoutput of the fourth register being connected to its input, the input ofthe third register being connected to the output of the firstsubtraction circuit, the subtraction, from the n-1 bits coming out ofthe third register, of zero in the first subtraction circuit, thesubtraction, from the output of the result coming out of the firstsubtraction circuit, of the bits of the fourth register,

E4: the storage of the last carry value of the second subtractioncircuit in the test circuit and the production, at the output of thistest circuit, of a binary data element whose value is equal to thecomplement of the memorized carry value,

E5: the shifting by one bit of the first and second registers, the mostsignificant bit of the first register being loaded as a leastsignificant bit of the second register, the binary data elementmemorized in the test circuit being loaded as a least significant bit inthe first register,

E6: the resetting of the first and second subtraction circuits,

E7: the repetition, 2*n-1 times, of the steps E2 to E6, the firstsubtraction circuit performing a subtraction, from the contents of thethird register, of zero if the previously memorized carry value is equalto one, the first subtraction circuit performing a subtraction, from thecontents of the third register, of the contents of the fourth registerif the previously memorized carry value is equal to zero.

The invention will be understood more clearly and other features andadvantages shall appear from the following description of an embodimentof the invention, given by way of an indication that in no way restrictsthe scope of the invention, with reference to the appended drawings, ofwhich:

FIG. 1 gives a schematic view of a modular arithmetic coprocessor usingthe Montgomery method according to the art,

FIG. 2 gives a schematic view of a division circuit according toinvention,

FIG. 3 a schematic view of a modular arithmetic coprocessor using theMontgomery method that possesses a division circuit according to theinvention.

FIG. 1 gives a schematic view of a modular arithmetic coprocessor 1 forthe processing of modular operations using the Montgomery method.

It comprises:

three shift registers 10, 11 and 12 with series input and output. Eachof these registers has one and the same number n of cells, with n=m*k.These registers may be capable of being subdivided, for example intoregisters of n/2 cells and into registers of k bits for the registers 10and 12;

multiplexers 13, 14 and 15 are placed respectively before the registers10, 11 and 12. Multiplexers will also be placed before the subdivisionsif these exist;

three registers 16, 17 and 18 each comprising k cells. The registers 16,17 and 18 are registers with parallel outputs and series inputs;

two multiplication circuits 19 and 20 each comprising a series input, aparallel input and a series output. The parallel input of themultiplication circuit 19 is connected to the output of the register 16by means of a storage flip-flop circuit 21 with k cells. The parallelinput of the multiplication circuit 20 is connected to one of theoutputs of the registers 17 or 18, by means of a storage flip-flopcircuit 22 with k cells. This flip-flop circuit 22 is itself connectedto one of the outputs of the registers 17 and 18 by means of amultiplexer with two parallel inputs and one parallel output;

multiplexers 24, 25, 37, 26, 36 and 38;

a demultiplexer 39;

series subtraction circuits 27, 28 and 29;

series addition circuits 30 and 31;

delay circuits 32, 33 and 34 to delay the propagation of binary dataelements by k cycle periods;

a circuit 35 for the storage of comparison results.

For greater detail, reference may be made to the document D1 andespecially to FIG. 3 of this document and to the extracts from thedescription pertaining thereto: page 15, line 54 to page 16, line 13,and page 17, line 50 to page 18, line 55.

The invention consists of the addition of a division circuit to thiscoprocessor 1. However, so as not to increase the size of thiscoprocessor excessively, the division circuit has elements alreadypresent in this coprocessor. Thus, the division circuit shown in FIG. 2has:

four n-bit shift registers 10, 11, 12 and 40, in the present exemplaryembodiment, each having one input and one series output,

six multiplexers 13, 14, 15, 37, 41 arid 42, the outputs of themultiplexers 13, 14, 15 and 41 being connected respectively to theinputs of the registers 10, 11, 12 and 40, the output of the multiplexer37 being connected to the second input of the subtraction circuit 28 andthe output of the multiplexer 42 being connected to the first input ofthe subtraction circuit 29, these multiplexers being used to set updifferent connections needed for the working of the circuit,

two subtraction circuits 28 and 29, each having two inputs and oneseries output, these circuits performing bit-by-bit subtractionoperations synchronously. The document Dl in FIG. 8 shows an embodimentof these subtraction circuits 28 and 29),

a test circuit 35 having one input and one output (in fact only oneinput and one output are necessary for the division circuit, althoughthis circuit 35 has two inputs and two outputs).

For the division circuit, several connections are made. Some of them maybe wired directly and. others by means of the multiplexer 13, 14, 15,37, 41 and 42. However, certain connections may be made by means ofelements of this coprocessor 1 that are rendered transparent (namelyinoperative) and are not shown in FIG. 2.

Thus we have:

the output of the register 40 connected to the input of the register 10by means of the multiplexer 13,

the output of the register 10 connected to the input of the register 11by means of the multiplexer 14,

the output of the register 10 connected to the input of the subtractioncircuit 29 by means of the multiplexer 42,

the output of the subtraction circuit 28 connected to the input of theregister 11 by means of the multiplexer 14,

the output of the register 11 connected to the first input of thesubtraction circuit 28,

the output of the register 12 connected to its input by means of themultiplexer 15,

the output of the register 12 connected to the second input of thesubtraction circuit 28 by means of the multiplexer 37,

the output of the register 12 connected to the second input of thesubtraction circuit 29,

the output of the subtraction circuit 28 connected to the first input ofthe subtraction circuit 29 by means of the multiplexer 42,

the output of the subtraction circuit 29 connected to the input of thetest circuit 35,

the output of the test circuit 35 connected to the input of the register40 by means of the multiplexer 41,

the output of the test circuit 35 connected to a selection input of themultiplexer 37,

the second input of the subtraction circuit 28 connected to a logic zeroby means of the multiplexer 37,

the input of the register 11 connected to a logic zero by means of themultiplexer 14,

the input of the register 12 connected to a first input terminal bymeans of the multiplexer 15,

the input of the register 12 connected to a second input terminal bymeans of the multiplexer 13,

the input of the register 40 connected to a third input terminal bymeans of the multiplexer 41, and

the output of the register 10 connected to an output terminal.

With the above-described device, it is possible to carry out an integerdivision of a first number encoded on 2* n bits by a second numberencoded on n bits, the result being encoded on 2* n bits. For thispurpose, the following steps are performed:

E1: the loading into the registers 40 and 10 of the first number, theregister 40 containing the n low-order bits of this first number and theregister 10 containing the n high-order bits of this first number, eachof these registers 40 and 10 having its most significant bit towards itsoutput and its least significant bit towards its input,

the resetting of the register 11 with zeros, which amounts to loadingzeros into this register 11,

the loading into the register 12 of the second number, the leastsignificant bit being close to the output and the most significant bitbeing close to its input,

the resetting of the test circuit, in order to carry out the connectionof the second input of the subtraction circuit 28 with a logic zero,

the resetting at zero of the subtraction circuits 28 and 29,

E2: the shifting by one bit of the registers 11 and 12, the register 11recovering the most significant bit of the register 10 as a mostsignificant bit, the register 12 having its output connected to itsinput, subtraction in the subtraction circuit 29 of the leastsignificant bit of the register 12 from the most significant bit of theregister 10, the subtraction circuit 28 performing a subtraction, fromthe least significant bit of the register 11, of zero,

E3: the shifting by n-1 bits of the registers 11 and 12, the output ofthe register 12 being connected to its input, the input of the register11 being connected to the output of the subtraction circuit 28, thesubtraction, from the n-1 bits coming out of the register 11, of zero inthe subtraction circuit 28, the subtraction, from the output of theresult coming out of the subtraction circuit 28, of the bits of theregister 12 in the subtraction circuit 29,

E4: the storage of a binary data element equal to the complement of thelast carry value of the subtraction circuit 29 into the test circuit 35and the production, at the output of this test circuit 35, of the binarydata element,

E5: the shifting, by one bit, of the registers 40 and 10, the mostsignificant bit of the register 40 being loaded as a least significantbit of the register 10, the binary data element stored in the testcircuit 35 being loaded as a least significant bit in the register 40,

E6: the resetting of the subtraction circuits 28 and 29,

E7: the repetition, 2*n-1 times, of the steps E2 to E6, the subtractioncircuit 28 performing a subtraction, from the contents of the register11, of zero if the binary data element stored is equal to zero, thesubtraction circuit 28 performing a subtraction, from the contents ofthe register 11, of the contents of the register 12 if the memorizedbinary data element is equal to one,

E8: the retrieval of the result at the output terminal by the shifting,by 2*n bits, of the registers 40 and 10, the output of the register 40being connected to the input of the register 10, the most significantbit coming out first, the remainder of the division being present in theregister 11.

A few comments need to be made on certain steps for a clearerunderstanding of what is done. The step E1 corresponds to the loading ofthe data elements and to resetting. The loading of the first number maybe done in two different ways, either at two input terminalssimultaneously in the registers 40 and 10 or by the third inputterminal, the register 10 being loaded by means of the register 40. Itis also possible to include, in this step, different operations for theresetting of elements of the coprocessor 1 which needs to be renderedtransparent for the efficient operation of the division circuit.

The steps E2, E3 and E4 amount to:

the subtraction in the subtraction circuit 38, from an intermediateresult contained in the register 11, of the second number contained inthe register 12 if the intermediate result is greater than the secondnumber,

the multiplication by two of the result of the subtraction performed inthe subtraction circuit 28 and the addition thereto of the mostsignificant bit of the register 10, and then the storage in the register11 of this new intermediate result,

the comparison of the new intermediate result, while it is beingproduced, with the second number by subtraction in the circuit 29, and

the storage of a binary data element representing the comparison thatcorresponds to the complement of the last carry value coming from thesubtraction of the subtraction circuit 29, this binary data elementbeing equal to "one" if the new intermediate result is greater than orequal to the second number or being equal to zero if the newintermediate result is smaller than the second number.

The step E4 may be identified with the last shift of the shift E3. Thisrequires a few modifications of the subtraction circuit 29 that thoseskilled in the art will be capable of performing. The modifications willbe aimed at obtaining the output of the carry value by anticipation.

The step E5 is used to store the binary data element as being a bit ofthe result of the division and shifts all the bits of the first numberthus changing the most significant bit to be considered. This step maybe performed during one of the steps E2, E3 or E4. In this case, it isnecessary to add a step E5 after the step E7.

The step E6 is used to eliminate the carry values of the previoussubtraction operations. It may be done asynchronously, immediately afterthe storage of the binary data element.

A status report of the time used indicates that, in the most favorablecases:

the step E1 uses n clock cycles,

the step E2 uses 1 clock cycle,

the step E3 uses n-1 clock cycles,

the step E4 uses 1 clock cycle,

the step E5 uses 1 clock cycle,

the step E6 uses 1 clock cycle,

the step E7 uses 2*n-1 times the steps E2 to E6, giving (2*n-1)*(n+3)clock cycles,

the step E8 uses 2*n clock cycles.

This leads to a total of 2*n*(n+4)+n clock cycles. 3*n cycles are neededfor the exchange of data between the coprocessor and the memory. It isknown that the access times for the memories are sometimes lengthy ifone and the same clock frequency is used for the loading and theprocessing. This clock frequency must therefore depend on the accesstime of the memory. The invention proposes the use of two clockfrequencies, one for the loading and one for the processing, in order toovercome this problem.

Other modifications that result from the simultaneous nature of certainsteps enables a diminishing of the total number of cycles up to amaximum of 6* n clock cycles.

It can be seen in the time status report that the n-bit size of theregisters affects the number of clock cycles needed to carry out thedivision. This influence will be minimized inasmuch as the first andsecond numbers have a real size close to the maximum size of theregisters. In order that this may be true in a large number of cases, itis possible to use registers of variable size. Those skilled in the artcould, for example, draw inspiration from registers shown in thedocument D1 in FIG. 3, by using a greater number of divisions of eachregister.

Thus, it is possible to have a register 40 with a size n', a register 10with a size n", and registers 11 and 12 with a size n(3). Themodification of the method is limited in the step E3 to carrying out ashift of n(3)-1 bits instead of n-1 bits and in the step E7 to repeatingthe steps n'+n" times instead of 2* n times.

In FIG. 3, the division circuit of FIG. 2 has been added to thecoprocessor 1 of FIG. 1. FIG. 3 shows only one example of integrationamong several possibilities.

As compared with the coprocessor 1 of FIG. 1, the register 40 and themultiplexers 41 and 42 have been added. Furthermore, certain elementsalready present have been modified. Thus, the multiplexer 13 has anadditional input connected to the output of the register 40. Themultiplexer 14 has two additional inputs, one connected to the output ofthe register 10 and the other connected to the output of the subtractioncircuit 28. Other elements are modified in a non-visible way in FIG. 3.The test circuit 35 is designed to detect carry values. The output whichis connected to the selection input of the multiplexer 37 must beprovided with an inverter to verify the functionality of the divisioncircuit. This also leads to a reversal of the inputs of the multiplexer37. The delay circuits 32, 33 and 34 have no use for the division. Theyare modified to give rise to both zero delays and to the delays neededfor the running of modular operations. It is, possible for example toadd multiplexers to the delay circuits 32, 33 and 34 in order to shuntthem.

In the circuit, as modified, certain elements of the coprocessor have tobe made transparent. Thus, during the running of a division, themultiplexers 25, 26 and 36 have to make a connection between theiroutputs and their inputs connected to logic zeros. The multiplexer 38must make a connection between its output and the output of the register12.

Modifications of the progress of the division operation must be providedfor. The adders 30 and 31 each add a delay of one clock cycle. Thesubtraction circuit 27 prompts a delay that must be compensated for byan anticipation of one clock cycle on the step E2.

To avoid this anticipation of one cycle of the step E2, it is possibleto connect the input of the multiplexer 42 upline with respect to thesubtraction circuit 27. It is also possible to place the multiplexer 42downline with respect to the adder 30.

To avoid having an input of the multiplexer 14 connected to the outputof the subtracter circuit 28, it is possible to shift the multiplexer 42between the adder 31 and the subtraction circuit 29. The connection ofthe output of the subtraction circuit 28 to the input of the register 11is done by means of the addition circuit 31 whose output is alreadyconnected to an input of the multiplexer 14. With a modification of thiskind, the step E2 must be delayed by one or two clock cycles dependingon whether the connection between the multiplexer 42 and the output ofthe register 10 is done downline or upline with respect to thesubtraction circuit 27.

One improvement may also be contemplated by modifying the adders 30 and31 so that they do not prompt any additional delay cycles.

These few examples of possible modifications with respect to FIG. 3 willenable those skilled in the art to achieve the invention according topreference. Those skilled in the art could also use other possibilitiesof integration without departing from the framework of the invention.

What is claimed is:
 1. A modular arithmetic coprocessor designed toperform computations according to the Montgomery method comprising adivision circuit, the division circuit comprising a test circuit havingone input and one output to perform integer divisions by numbers thatare different from a power of two, wherein the integer division circuitcomputes the division of a binary code A encoded on n'+n" bits by abinary data element B encoded on n bits, A, B, n, n' and n" beingnon-zero integers, and wherein the integer division circuit comprises:afirst n'-bit register and a second n"-bit register to contain the binarydata element A and the result of the division, an output of the firstregister being connected to an input of the second register, the outputof the test circuit being connected to the input of the first register;a third n-bit register to contain an intermediate result, an output ofthe second register being connected to an input of the third register; afourth n-bit register to contain the binary data element B, the outputof the fourth register is connected to its input; and twocascade-connected subtraction circuits each having a first series inputand a second series input and a series output, the output of the thirdregister is connected to the first input of the first subtractioncircuit; the output of the fourth register is connected to the secondinput of the second subtraction circuit; the output of the secondsubtraction circuit is connected to the input of the test circuit; theoutput of the second register is connected to the first input of thesecond subtraction circuit; the output of the first subtraction circuitis connected to the input of the third register; the output of thefourth register is connected to the second input of the firstsubtraction circuit; the output of the first subtraction circuit isconnected to the first input of the second subtraction circuit.
 2. Acoprocessor according to claim 1, wherein the first, second, third andfourth registers are shift registers.
 3. A coprocessor according toclaim 1, wherein:the second input of the first subtraction circuit isconnected to a logic zero, the input of the first register is connectedto an output of a first multiplexer, the first multiplexer having twoinputs respectively connected to the output of the test circuit and to afirst input terminal, the input of the second register is connected toan output of a second multiplexer, the second multiplexer having twoinputs respectively connected to the output of the first register and toa second input terminal, the input of the third register is connected toan output of a third multiplexer, the third multiplexer having an inputconnected to the output of the second register and receiving a logiczero on a second input, the input of the fourth register is connected toan output of a fourth multiplexer, the fourth multiplier having a firstinput connected to its output and a second input connected to a thirdinput terminal, the second input of the first subtraction circuit isconnected to an output of a fifth multiplexer; the first input of thesecond subtraction circuit is connected to an output of a sixthmultiplexer; and a selection input of the fifth multiplexer is connectedto the output of the test circuit.
 4. A coprocessor according to claim1, wherein the cells of the first and second registers placed close tothe output of said first and second registers and the cells of the thirdand fourth registers placed close to the input of said third and fourthregisters receive the most significant bits of the data elementscontained therein.
 5. A coprocessor according to claim 1, wherein thefirst, second, third and fourth registers are of variable sizes.
 6. Acoprocessor according to claim 1, wherein the first, second, third andfourth registers have an identical n-bit size.
 7. A coprocessoraccording to claim 1, wherein the test circuit comprises a storageelement designed to memorize a carry value coming from the secondsubtraction circuit, and wherein the output of the test circuit gives adata element corresponding to a complement of this carry value.
 8. Acoprocessor according to claim 1, wherein the remainder of the divisionis contained in the third register.
 9. A coprocessor according to claim1 wherein the output of the test circuit is connected to the input ofthe first register.
 10. A method for carrying our-an integer division ofa first number, encoded on n'+n" bits, by a second number, encoded on nbits, by means of a modular arithmetic coprocessor comprising:a firstn-bit shift register, a second n-bit shift register, a third n-bit shiftregister and a fourth n-bit shift register, a first series subtractioncircuit and a second series subtractiorL circuit, a test circuit,wherein said method comprises the following steps: E1: the loading, intothe first and second registers, of the first number, the resetting ofthe third register with zeros, the loading into the fourth register ofthe second number, the resetting at zero of the test circuit and of thesubtraction circuits, E2: the shifting, by one bit, of the third andfourth registers, the third register recovering, as a most significantbit, the most significant bit of the second register, the fourthregister having its output connected to its input, the subtraction, inthe second subtraction circuit, of the least significant bit of thefourth register from the most significant bit of the second register,the first subtraction circuit performing a subtraction of zero from theleast significant bit of the third register, E3: the shifting by n-1bits of the third and fourth registers, the output of the fourthregister being connected to its input, the input of the third registerbeing connected to the output of the first subtraction circuit, thesubtraction of zero from the n-1 bits coming out of the third registerin the first subtraction circuit, the subtraction, from the output ofthe result coming out of the first subtraction circuit, of the bits ofthe fourth register, E4: the storage of the last carry value of thesecond subtraction circuit in the test circuit and the production, atthe output of this test circuit, of a binary data element whose value isequal to the complement of the memorized carry value, E5: the shiftingby one bit of the first and second registers, the most significant bitof the first register being loaded as a least significant bit of thesecond register, the binary data element memorized in the test circuitbeing loaded as a least significant bit in the first register, E6: theresetting of the first and second subtraction circuits, E7: therepetition, 2*n-1 times, of the steps E2 to E6, the first subtractioncircuit performing a subtraction, from the contents of the thirdregister, of zero if the previously memorized carry value is equal toone, the first subtraction circuit performing a subtraction, from thecontents of the third register, of the contents of the fourth registerif the previously memorized carry value is equal to zero.
 11. A methodaccording to claim 10, wherein the steps; run during other steps.
 12. Amodular arithmetic coprocessor designed to perform computationsaccording to the Montgomery method comprising a division circuit, thedivision circuit Comprising a test circuit having one input and oneoutput to perform integer divisions by numbers; that are different froma power of two, wherein the integer division circuit computes thedivision of a binary code A encoded on n'+n" bits by a binary dataelement B encoded on n bits, A, B, n, n' and n" being non-zero integers,and wherein the integer division circuit comprises:a first n'- bitregister and a second n"-bit register to contain the binary data elementA and the result of the division, a third n-bit register to contain anintermediate result, a fourth n-bit register to contain the binary dataelement B, two cascade-connected subtraction circuits each having afirst series input and a second series input and a series output a firstinput terminal coupled to the input of the first register, a secondinput terminal coupled to the input of the second register, the outputof the first subtraction circuit is connected to the input of the thirdregister, a third input terminal coupled to the input of the fourthregister, said subtraction circuits receiving at inputs outputs fromsaid second, third and fourth registers, and the output of the secondsubtraction circuit is connected to the input of the test circuit.
 13. Acoprocessor according to claim 12, wherein:the output of the thirdregister is connected to the first input of the first subtractioncircuit, and the output of the fourth register is connected to thesecond input of the second subtraction circuit.
 14. A coprocessoraccording to claim 13, wherein:the output of the first register isconnected to the input of the second register and the output of thesecond register is connected to the input of the third register.
 15. Acoprocessor according to claim 14, wherein:the output of the secondregister is connected to the first input of the second subtractioncircuit and the output of the fourth register is connected to its input.16. A coprocessor according to claim 15, wherein:the output of thefourth register is connected to the second input of the firstsubtraction circuit and the output of the first subtraction circuit isconnected to the first input of the second subtraction circuit.
 17. Acoprocessor according to claim 16, wherein:the output of the testcircuit is connected to the input of the first register.
 18. Acoprocessor according to claim 17, further including first, second,third, fourth fifth and sixth multiplexers.
 19. A coprocessor accordingto claim 18, wherein:the input of the first register is connected to anoutput of the first multiplexer and the input of the second register isconnected to an output of the second multiplexer.
 20. A coprocessoraccording to claim 19, wherein:the input of the third register isconnected to an output of the third multiplexer and the input of thefourth register is connected to an output of a fourth multiplexer.
 21. Acoprocessor according to claim 20, wherein:the second input of the firstsubtraction circuit is connected to an output of a fifth multiplexer andthe first input of the second subtraction circuit is connected to anoutput of the sixth multiplexer.
 22. A coprocessor according to claim21, wherein:a selection input of the fifth multiplexer is connected tothe output of the test circuit.
 23. A coprocessor according to claim 12,wherein:the second input of the first subtraction circuit is connectedto a logic zero.
 24. A coprocessor according to claim 23, wherein:theinput of the third register is connected to a logic zero.